Injecting ads through DNS hijacking

When you browse the Internet, your PC contacts a DNS server to resolve the domain of the website you’d like to access. The DNS server returns the IP address of the website, which your PC then accesses to get the content to display.

Figure 3. Normal domain name resolution by legitimate DNS servers

BrowserModifier:Win32/Clodaconas compromises this process to inject ads. It modifies DNS settings in your registry so that they point to a rogue DNS server. All DNS queries are therefore redirected to this DNS server, which resolves specific domains to the IP address of another attacker-controlled server.

This results in a man-in-the-middle (MITM) attack. Instead of getting content directly from the server of the website you’re accessing, your PC gets content from the MITM server. It contacts legitimate websites to get the actual content you’re looking for, but modifies it before it is displayed on your browser. This is how the unwanted ads are displayed on your search results pages or on online retail websites.

This method of injecting ads meets the evaluation criteria that Microsoft Malware Protection Center (MMPC) uses for identifying unwanted software. This threat modifies webpage content without your consent. It also does this without using the browser’s supported extensibility models, hence our classification of this program as unwanted software.

Using a rogue root certificate

Many websites use SSL encryption to protect transactions. This mechanism also prevents the modification of content served by websites. Browsers check the validity of a website’s SSL certificate against trusted root certification authorities’ certificates stored on your PC. Browsers show a warning page or icon if a website’s certificate is not trusted.

To avoid triggering this alert, BrowserModifier:Win32/Clodaconas installs a root certificate as a trusted root certification authority. With the rogue root certificate installed, ads can be injected into encrypted content and still appear valid to the browser.
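An added audit script (not part of the original post, and not a Microsoft tool) that checks the two persistence points described above: DNS resolvers rewritten in the registry, and a root certification authority added to the trusted store. It assumes $ExpectedResolvers holds your own resolvers (the addresses below are placeholders) and treats a root certificate whose NotBefore date falls inside $LookbackDays as worth reviewing; run it in an elevated PowerShell session.

```powershell
# Added example, not from the original write-up. Audits the DNS settings and
# trusted-root store for the kind of changes BrowserModifier:Win32/Clodaconas makes.
$ExpectedResolvers = @('192.0.2.53', '192.0.2.54')   # placeholders: your resolvers
$LookbackDays      = 30
$findings          = @()

# --- 1. DNS servers configured in the registry --------------------------------
# A static NameServer value overrides DHCP-assigned resolvers; any value that is
# not one of your own resolvers sends every lookup to someone else's server.
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$places = @([pscustomobject]@{ Name = 'Global'; Path = $tcpip })
foreach ($iface in @(Get-ChildItem "$tcpip\Interfaces")) {
    $places += [pscustomobject]@{ Name = $iface.PSChildName; Path = $iface.PSPath }
}
foreach ($place in $places) {
    $value = (Get-ItemProperty -Path $place.Path -ErrorAction SilentlyContinue).NameServer
    if (-not $value) { continue }                      # DHCP-assigned only: nothing static
    foreach ($server in @($value -split '[,\s]+' | Where-Object { $_ })) {
        if ($ExpectedResolvers -notcontains $server) {
            $findings += [pscustomobject]@{ Check = 'DNS'; Location = $place.Name; Value = $server }
        }
    }
}

# --- 2. Trusted root certification authorities --------------------------------
# The per-user root store can be written without admin rights, so both stores are
# checked. The store does not record when a certificate was added, so NotBefore is
# only a heuristic; compare thumbprints against a known-good baseline if you keep one.
$since = (Get-Date).AddDays(-$LookbackDays)
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    foreach ($cert in @(Get-ChildItem $store | Where-Object { $_.NotBefore -gt $since })) {
        $findings += [pscustomobject]@{
            Check    = 'RootCA'
            Location = $store
            Value    = "$($cert.Subject) [$($cert.Thumbprint)]"
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else           { 'No unexpected DNS servers or recently issued root CAs found.' }
```

A DNS finding on an interface that should be DHCP-only, or a root CA you did not install, is the signal to remove the entry and then clear the browser cache as described below.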

You may need to clear your browser cache after the threat is removed. The browser might still hold cached copies of pages from a website you recently visited, so you might still see the ads.

Prevention, detection, and recovery

Stay protected from BrowserModifier:Win32/Clodaconas and other threats:

Keep your Windows operating system and antivirus up to date; if you haven’t already, upgrade to Windows 10.

Use Microsoft Edge. It can help warn you about sites that are known to be hosting exploits and other threats, help protect you from social engineering attacks such as phishing and malware downloads, and automatically detect bad changes and protect settings.

Use the Settings app to reset to Microsoft recommended defaults if your default apps were changed: launch the Settings app, go to System > Default apps, and click Reset.

Ensure your antimalware protection (such as Windows Defender and Microsoft Malicious Software Removal Tool) is up-to-date. If you are using Windows Defender, you can check your exclusion settings to see whether the malware added some entries in an attempt to exclude folders from being scanned. To check and remove excluded items in Windows Defender: Navigate to Settings > Update & security > Windows Defender > Add an exclusion. Go through the lists under Files and File locations, select the excluded item that you want to remove, and click Remove. Click OK to confirm.

Use cloud protection to help guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender for Windows 10. Go to All settings > Update & security > Windows Defender and make sure that the Cloud-based Protection setting is turned on.
